WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Bug? allowed ips: (none) (is configured!) #80

Closed Richard87 closed 3 years ago

Richard87 commented 3 years ago

Hi!

I just installed it and configured my first client (cellphone: Rymwdk7D22n2NR5BburXrl0b9F0X84ekmMCifUS95Tg=), and everything worked great.

Then I set up my laptop (neN+LnFpJ2FiuBhWVGr/VLl4ubu9cOKyI1K0VUZFSnk=) and I thought everything worked great, but my cellphone stopped working...

This is my configuration:

show configuration commands | grep wg0
set interfaces wireguard wg0 address 192.168.43.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer Rymwdk7D22n2NR5BburXrl0b9F0X84ekmMCifUS95Tg= allowed-ips 192.168.43.0/24
set interfaces wireguard wg0 peer neN+LnFpJ2FiuBhWVGr/VLl4ubu9cOKyI1K0VUZFSnk= allowed-ips 192.168.43.0/24
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips true
set service dns forwarding listen-on wg0

ubnt@r6:~$ sudo wg
interface: wg0
  public key: PoPzKDTHmSqeHlI/6vu1oobLyFnBCuBjRhRsD/l86AY=
  private key: (hidden)
  listening port: 51820

peer: Rymwdk7D22n2NR5BburXrl0b9F0X84ekmMCifUS95Tg=
  endpoint: 77.18.XXX.XXX:2187
  allowed ips: (none)
  latest handshake: 14 hours, 52 minutes, 52 seconds ago
  transfer: 235.74 MiB received, 365.42 MiB sent

peer: neN+LnFpJ2FiuBhWVGr/VLl4ubu9cOKyI1K0VUZFSnk=
  endpoint: 77.18.XXX.XXX:15427
  allowed ips: 192.168.43.0/24
  latest handshake: 3 days, 17 hours, 54 minutes, 3 seconds ago
  transfer: 301.63 MiB received, 361.54 MiB sent

sudo wg showconf wg0
[Interface]
ListenPort = 51820
PrivateKey = 6N5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXko=

[Peer]
PublicKey = Rymwdk7D22n2NR5BburXrl0b9F0X84ekmMCifUS95Tg=
Endpoint = 77.18.XXX.XXX:2187

[Peer]
PublicKey = neN+LnFpJ2FiuBhWVGr/VLl4ubu9cOKyI1K0VUZFSnk=
AllowedIPs = 192.168.43.0/24
Endpoint = 77.18.XXX.XXX:15427

Richard87 commented 3 years ago

Changing AllowedIPs to a specific IP, and not a subnet, solved all my issues!

Changing this: AllowedIPs = 192.168.43.0/24 to this: AllowedIPs = 192.168.43.100/32

DeedleFake commented 2 years ago

Leaving this here for anyone else who finds this:

I had this same problem, except that my addresses didn't end in .0 or ::. Make sure that you've got /32 for IPv4 and /128 for IPv6 on the allowed IPs, or at least unambiguous subnets that don't overlap with any other peers', or else the first client to connect will work and the second won't, as WireGuard will already have decided that everything needs to be routed to the first one and just simply not set up the routing for the second client.

bachmarc commented 2 years ago

That is absolutely the point! One tends to think of a road warrior setup, but actually it is a net2net connection all the time, and for a road warrior it is clever to limit the size of the remote network to a /32 mask. Otherwise WireGuard silently routes only to the first in the list and the others get (none)...

THX!!! I spent an hour searching for the reason...
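
The behaviour DeedleFake and bachmarc describe, replayed as an added example (not code from wireguard-vyatta-ubnt): WireGuard's cryptokey routing maps each allowed-ips prefix to exactly one peer, so assigning the same prefix to a second peer moves it there and the first peer is left with "(none)". The peer keys are the ones quoted in the issue; the assignment order and the /32 addresses in the fixed variant are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Peer public keys quoted in the issue; the order and the fixed /32 addresses
# are constructed for this example.
CELLPHONE = "Rymwdk7D22n2NR5BburXrl0b9F0X84ekmMCifUS95Tg="
LAPTOP = "neN+LnFpJ2FiuBhWVGr/VLl4ubu9cOKyI1K0VUZFSnk="

BROKEN_CONFIG: List[Tuple[str, str]] = [
    (CELLPHONE, "192.168.43.0/24"),  # configured first, works while alone
    (LAPTOP, "192.168.43.0/24"),     # same prefix: takes it away from the cellphone
]
FIXED_CONFIG: List[Tuple[str, str]] = [
    (CELLPHONE, "192.168.43.100/32"),  # one host route per road-warrior peer
    (LAPTOP, "192.168.43.101/32"),
]


def build_allowed_ips(config: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Replay allowed-ips assignments in order; return each peer's effective list.

    Every prefix belongs to exactly one peer. Assigning a prefix that another
    peer already owns moves it to the new peer, which is why the earlier peer
    can end up with no allowed ips at all.
    """
    owner = {}                                 # network -> peer that currently owns it
    peers: Dict[str, List[str]] = {}
    for pubkey, prefix in config:
        net = ipaddress.ip_network(prefix, strict=False)
        peers.setdefault(pubkey, [])
        previous = owner.get(net)
        if previous is not None and previous != pubkey:
            peers[previous].remove(str(net))   # the prefix leaves the earlier peer
        owner[net] = pubkey
        if str(net) not in peers[pubkey]:
            peers[pubkey].append(str(net))
    return peers


def peers_without_routes(config: List[Tuple[str, str]]) -> List[str]:
    """Peers that `wg show` would list as 'allowed ips: (none)'.

    Such a peer can still complete handshakes (the issue shows a recent one),
    but nothing is ever routed to it and its inbound packets are dropped.
    """
    return [pk for pk, nets in build_allowed_ips(config).items() if not nets]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label} configuration:")
        for pubkey, nets in build_allowed_ips(cfg).items():
            print(f"  peer {pubkey}: allowed ips: {', '.join(nets) or '(none)'}")
```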

areeb111 commented 8 months ago

@DeedleFake Thanks, that solved my issue. I was thinking that allowed IPs whitelists the whole subnet for that peer, but it seems it's routing :) Thanks again

alconino commented 6 months ago

Hello, I have an RPi with WireGuard as a server with this config:

[Interface]
Address = 192.168.1.80/29
ListenPort = 51840
PrivateKey = XXXXX
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORW>
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FO>

[Peer]
PublicKey = YYYYY
AllowedIPs = 0.0.0.0/0
PersistentKeepAlive = 25

The client configuration is:

[Interface]
Address = 192.168.1.101/32
PrivateKey = ZZZZZ
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = AAAAA
AllowedIPs = 0.0.0.0/0
Endpoint = 2dirIPPublica_router:51840
PersistentKeepalive = 25

I have sudo sysctl net.ipv4.ip_forward activated

When I set up the Wireguard server on the RPI, I am left without an internet connection, although it is curious, because although I cannot navigate out, it seems to accept my VPN connections.

Terminal output detail:

systemctl status wg-quick@wg0

wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2023-12-08 01:07:25 CET; 30s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 3657 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 3657 (code=exited, status=0/SUCCESS)
        CPU: 556ms

Dec 08 01:07:25 rpi wg-quick[3657]: [#] ip -4 address add 192.168.1.80/29 dev wg0
Dec 08 01:07:25 rpi wg-quick[3657]: [#] ip link set mtu 1420 up dev wg0
Dec 08 01:07:25 rpi wg-quick[3657]: [#] wg set wg0 fwmark 51820
Dec 08 01:07:25 rpi wg-quick[3657]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Dec 08 01:07:25 rpi wg-quick[3657]: [#] ip -4 rule add not fwmark 51820 table 51820
Dec 08 01:07:25 rpi wg-quick[3657]: [#] ip -4 rule add table main suppress_prefixlength 0
Dec 08 01:07:25 rpi wg-quick[3657]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Dec 08 01:07:25 rpi wg-quick[3657]: [#] nft -f /dev/fd/63
Dec 08 01:07:25 rpi wg-quick[3657]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING ->
Dec 08 01:07:25 rpi systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

wg

interface: wg0
  public key: NIAw/S0vuAaTNEl570KEcDn8siOk/cew8zQdge9NWBs=
  private key: (hidden)
  listening port: 51840
  fwmark: 0xca6c

peer: E9xFybyF+vN6vScmbZIJdjqHaaTGRwPE7TuMzC+14HU=
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

Could you help me?

Thank you. All the best

victorrodriguez1984 commented 6 months ago

Hello

Hello, I think it is normal behaviour: if different tunnels have duplicated IPs in "Allowed IPs", the latest established one takes them, I suppose so as not to forward interesting traffic on both established tunnels. In the case of a list of "Allowed IPs" where only one of them is duplicated, all the rest are included but the duplicated one is ignored.

alconino commented 4 months ago

ok, thanks, I'll keep trying to adjust the settings, it still doesn't work as I expect.